CVE-2025-56120
Published: 11 December 2025
Summary
CVE-2025-56120 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-X60 Pro. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of all system inputs, directly preventing OS command injection by ensuring crafted POST request parameters to module_set are sanitized before processing in the vulnerable Lua script.
SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating this CVE through firmware patching or code fixes in config_retain.lua.
AC-6 enforces least privilege on accounts, limiting the damage from arbitrary command execution by low-privileged (PR:L) attackers exploiting the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST request to web interface enables exploitation of public-facing application (T1190) and remote command execution on network device CLI/interpreter (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
Deeper analysisAI
CVE-2025-56120 is an OS Command Injection vulnerability (CWE-78) in the Ruijie X60 PRO device, specifically firmware versions V1.00 and V2.00 for model X60_10212014RG-X60 PRO. The flaw exists in the module_set function within the file /usr/local/lua/dev_config/config_retain.lua, where attackers can execute arbitrary commands via a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
Attackers with low privileges (PR:L), such as authenticated users, can exploit this vulnerability over the network without user interaction. By crafting a malicious POST request to the module_set endpoint, they achieve remote execution of arbitrary OS commands, enabling full control over the affected device.
Mitigation details are covered in vendor advisories and reports available at the following references: https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh, https://1drv.ms/t/c/12406a392c92914b/EZf6v9BXDpFAs09oCidKJ8oBXclUWtjyMcQv3DgMfISkJg?e=MyjOdI, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56120.md.
Details
- CWE(s)